Skip to content

CybOX 3.0: HashType Refactoring

Jump to bottom Edit New page
Ivan Kirillov edited this page Oct 27, 2015 · 26 revisions

Issue Description

There are two main issues with the current structure for characterizing cryptographic hashes in CybOX, the HashType:

  • The structure is overly verbose and heavyweight for the capture and parsing of ubiquitous types of hash values such as MD5, SHA1, and SHA256; it is arguable that these are by far the most prevalent types of hashes in cyber threat related characterization today. Currently, users must first specify the correct value from the default HashNameVocab vocabulary, populate the Type field with this value and set its xsi:type to point to the vocabulary, and then finally populate the Simple_Hash_Value field with the actual hash value:
  <Type xsi:type="HashNameVocab-1.0">MD5</Type>
  <Simple_Hash_Value>3773a88f65a5e780c8dff9cdc3a056f3</Simple_Hash_Type>
  • The structure has separate fields for capturing simple and fuzzy hash values (Simple_Hash_Value and Fuzzy_Hash_Value, respectively), both fundamentally string values. This seems an unnecessary distinction, as simply specifying the type of a hash (e.g., SSDeep) provides the necessary context for identifying it as simple or fuzzy.

Refactoring

For the capture of ubiquitous hash values, we propose the creation of a new CommonHashesType with the following fields. Note that this essentially takes all of the values from the existing HashNameVocab:

Field Type Description
md5_value string Specifies an MD5 hash value.
md6_value string Specifies an MD5 hash value.
sha1_value string Specifies a SHA1 hash value.
sha256_value string Specifies a SHA256 hash value.
sha224_value string Specifies a SHA224 hash value.
sha384_value string Specifies a SHA384 hash value.
sha512_value string Specifies a SHA512 hash value.
ssdeep_value string Specifies an ssdeep fuzzy hash value.

Accordingly, we propose renaming the existing HashType to CustomHashType (and the existing HashListType to CustomHashesType) so that it is used exclusively for custom/non-standard hash values and has the following fields:

Field Type Description
type string Specifies the name of type cryptographic hashing algorithm used to generate the value captured in the hash_value field.
hash_value string Specifies a single cryptographic hash value, of the type defined in the type field.
fuzzy_hash_structure FuzzyHashStructureType Enables the characterization of the key internal components of a fuzzy hash calculation with a given block size.

Impact

Each existing CybOX Object that uses the HashListType, e.g. the File Object, will need to be updated as a result of this change. This will likely entail the deprecation of the existing hashes field and the addition of a new common_hashes field and also a new custom_hashes field.

Example
<file>
  <common_hashes>
    <md5_value>3773a88f65a5e780c8dff9cdc3a056f3</md5_value>
  </common_hashes>
  <custom_hashes>
    <custom_hash>
      <type>superhash</type>
      <hash_value>f49125dac3:352bb35ffrca2:a123dc4599245</type>
    </custom_hash>
  </custom_hashes>
</file>
Add a custom footer
Add a custom sidebar
Clone this wiki locally